
touch-packages team mailing list archive

[Bug 1501959] Re: "System error" on chfn / su with lxc-start --share-net


Any reason you're running those commands as the container PID1 instead
of starting the container and using lxc-attach to run the commands
inside it?

What you're doing right now is unsupported, as neither chfn nor su is an
init process, so they will not know how to set up the container or
handle other tasks that init is in charge of (signal handling, child
re-parenting and reaping, ...).

** Changed in: lxc (Ubuntu)
       Status: New => Incomplete

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to lxc in Ubuntu.
https://bugs.launchpad.net/bugs/1501959

Title:
  "System error" on chfn / su with lxc-start --share-net

Status in lxc package in Ubuntu:
  Incomplete

Bug description:
  When running `lxc-start --share-net 1` on a trusty host with a trusty
  container, chfn / su (and presumably other utilities which use PAM)
  fail.

  Test case:

  lxc-create -t ubuntu -n test1
  cat >/var/lib/lxc/test1/rootfs/config <<EOM
  lxc.include = /usr/share/lxc/config/ubuntu.common.conf
  lxc.rootfs = /var/lib/lxc/test1/rootfs
  lxc.mount = /var/lib/lxc/test1/fstab
  lxc.utsname = test1
  lxc.arch = amd64
  EOM
  lxc-start -n test1 -F --share-net 1 -- chfn -f 'test' root
  lxc-start -n test1 -F --share-net 1 -- su -

  Output:

  # lxc-start -n test1 -F --share-net 1 -- chfn -f 'test' root
  chfn: PAM: System error
  lxc-start: lxc_start.c: main: 342 The container failed to start.
  lxc-start: lxc_start.c: main: 346 Additional information can be obtained by setting the --logfile and --logpriority options.
  # lxc-start -n test1 -F --share-net 1 -- su -
  su: System error
  lxc-start: lxc_start.c: main: 342 The container failed to start.
  lxc-start: lxc_start.c: main: 346 Additional information can be obtained by setting the --logfile and --logpriority options.

  Issues in Docker e.g. https://github.com/docker/docker/issues/6345
  suggest it's because the AUDIT_WRITE capability is not being set, but
  it doesn't seem to be the case here as LXC by default is doing
  subtractive caps:

  # lxc-info --name test1 -c lxc.cap.keep -c lxc.cap.drop
  lxc.cap.keep =
  lxc.cap.drop = sys_module
  mac_admin
  mac_override
  sys_time

  This issue also appears to have been found in LP: #1430891, but was
  worked around rather than addressed.

  Running without --share-net doesn't exhibit this problem.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/1501959/+subscriptions
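The approach suggested in the reply above (start the container normally, then run the PAM-using command through lxc-attach so that it is a child of the container's init rather than PID 1), as an added example script that is not part of the bug report; the container name test1 and the 30-second start timeout are assumptions:

```sh
#!/bin/sh
# Added example (not from the bug report): run a PAM-using command such as chfn
# or su inside an already-started container with lxc-attach, instead of passing
# it to lxc-start as the container's init process. The container name "test1"
# in the usage line and the 30-second start timeout are assumptions.
set -eu

# Extract the state from `lxc-info -s` output, e.g. "State:          RUNNING".
state_of() {
  printf '%s\n' "$1" | sed -n 's/^State:[[:space:]]*//p'
}

# Start NAME detached if it is not already running, wait until it reports
# RUNNING, then run CMD via lxc-attach. The attached command is an ordinary
# child of the container's init, so signal handling and child reaping are
# done by init rather than by chfn or su.
run_in_container() {
  name=$1; shift
  if [ "$(state_of "$(lxc-info -s -n "$name")")" != RUNNING ]; then
    lxc-start -n "$name" -d
    lxc-wait -n "$name" -s RUNNING -t 30
  fi
  lxc-attach -n "$name" -- "$@"
}

# Usage: ./run-in-container.sh test1 chfn -f 'test' root
if [ $# -ge 2 ]; then
  run_in_container "$@"
else
  echo "usage: $0 CONTAINER COMMAND [ARGS...]" >&2
fi
```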
